Practices that embrace EHR security regulations inspire patient confidence

Recent headlines about the theft of veterans' medical records haven't done much to quell the general population's fear that their medical privacy is under constant threat. As a result, practice managers should be prepared to deal with patients who are fairly certain that their healthcare information is being mishandled, said Robert Tennant from the Medical Group Management Association (MGMA).

In a talk at the MGMA-sponsored 2006 Health Care Information Technology Forum in San Francisco, Tennant offered an overview of the privacy challenges that modern practices face, and how these challenges can be met while maintaining compliance with Health Insurance Portability and Accountability Act (HIPAA) regulations.

Tennant, a senior policy advisor in the MGMA government affairs department, started by highlighting an article in a popular consumer magazine that focused on medical privacy and electronic health records (EHR).

"The bottom line with this article was 'Be very wary of your medical practice because they may be misusing your medical data,'" he explained, adding that there have already been 20,000 complaints regarding medical privacy violations filed with the U.S. Office for Civil Rights.

Accentuate the positive

The first step a practice can take to gain consumer confidence is to offer patients a privacy notice that makes sense. Tennant suggested that practice managers cast a critical eye over their current notices.

"How many people have read their own privacy notice in the last six months?" he asked his audience. "Most of the time, it's (written) in this canned language that you got somewhere from the Internet. It says nothing about your actual practice. Read (the privacy notice) over as if you were two people: (A) Your average patient and (B) a patient who just read (a news report on privacy) and is a little concerned about it. Read (the notice) over and make sure that it's actually giving out information."

While the law requires that the privacy notice be posted in the waiting room, Tennant suggested doing so with a dynamic poster presentation, rather than an easily ignored piece of paper tacked up in the corner of the room.

"What some practices have done is to create a privacy notice poster that explains 'Your rights as a patient in this clinic.' Instead of having HIPAA as a negative, turn it into a positive about the importance you place on privacy and security," he pointed out.

Also, a practice with a Web site is required to post the privacy notice on that site. But even with these public and prominent declarations, the patient should still be offered a paper copy of the privacy notice, Tennant said.

Staff training with Kermit the Frog

On the most basic level, everyone in the practice, including physicians, should be discouraged from discussing patient information in the waiting room, Tennant said.

Less clear is how to decide when medical information should be shared. Patients need reassurance that their health data is not falling into the wrong hands or being held back from the right ones. Staff should be able to make the distinction between those who can have access to health information (referring physicians, for example) and those who may not (family members, employers), Tennant said.

One misconception medical staff often have is that they are free to peruse all patient information simply because they are employees. "For example, if a (physician's) neighbor is being treated by one of his colleagues, then he has a right to look at (that chart) and that is not the case," Tennant said.

Another example of an in-house HIPAA violation is when real patient data is used for training people on an EHR system. To address that issue, one MGMA session attendee said that she built an entire health record for Kermit the Frog, which is then used for training and demonstration purposes.

Finally, the front office staff needs to be well-versed in addressing -- not dismissing -- patients who lodge a privacy complaint. Staff don't have to be trained in the minutiae of HIPAA, but should be able to listen to the patient (although not in the waiting area) and guide them to the practice's privacy officer, who is willing to apologize for the error if appropriate, Tennant said.

"It's the old 98-1-1 rule," he said. "Ninety-eight percent of your patients have never heard of HIPAA, 1% has heard about it and couldn't care less, and 1% has heard about it and is concerned. If you get one of that 1%, they are the ones that are going to complain ... to your front-end staff. They are the ones who are more likely to go home and submit a complaint to the government. But often, people won't file a complaint if they feel that someone is listening to them."

'What if?'

While privacy issues directly affect patients, the security obligations fall on the practice itself. Historically, security controls have been geared toward paper records.

"There's a whole new set of problems when it comes to security," Tennant said. The HIPAA Security Rule covers three main areas: administrative safeguards (organizational practices such as risk analysis, workforce training, and contingency planning), physical safeguards (physical access to facilities, workstations, and devices), and technical safeguards (access control, audit logging, and the integrity and confidentiality of electronic data in storage and in transit).

When it comes to addressing technical and physical safeguards, Tennant suggested that the two buzzwords for every practice manager are "What if."

What if the server crashes and patient data is unavailable? (The crash itself is not the violation; the HIPAA Security Rule requires a contingency plan with data backup and disaster recovery, and a practice without one is out of compliance.) What if a physician's laptop or PDA is lost or damaged? What if employees leave the practice and take key cards or passwords with them? What if the practice's financial data is inaccessible for two weeks?

"Always ask these questions and always have an answer," he advised.

For a practice that sends medical information offsite, whether for transcription, coding, or, in the case of imaging, interpretation, business associate agreements must be in place. For extra protection, nonhealthcare contractors (such as the cleaning crew) should sign confidentiality agreements, Tennant suggested. Ultimately, the responsibility for maintaining the privacy and security of the data remains with the practice, he said.

Finally, Tennant pointed out that a list of EHR product vendors that have been certified by the Certification Commission for Health Information Technology (CCHIT) is scheduled for release in July 2006.

"My recommendation is don't buy a system that isn't (CCHIT) certified. You don't know what you are getting if it's not certified," he said. In addition, eligibility for pay-for-performance or Stark exception rules may not apply to a practice that uses non-CCHIT-certified products, he said.

Beautiful HIPAA

According to an MGMA survey of more than 34,000 U.S. practices, 14.1% have adopted EHR, with a higher rate of adoption in larger outfits. The cost of converting to EHR is $33,000 per full-time physician. Maintenance of EHR can run up to $1,500 a month and a practice should anticipate a 15% drop in productivity for at least one year postimplementation.

In other words, converting to EHR is not a simple task, Tennant said. "Those are tough numbers and it's tough for you to go to your physicians and say 'Who's ready for the decrease in productivity? Who's ready for these incredible costs?'" he said. "But here's the reality: If you want better healthcare and a cheaper healthcare system overall, you need HIT."

To that end, there is a new emphasis in Washington, DC, on HIT, he said, including the creation of the Office of the National Coordinator for Health IT. Also, the American Health Information Community (AHIC) serves as an advisory group for developing HIT standards and interoperability. And the Nationwide Health Information Network has spurred the creation of regional health information organizations (RHIOs) to interconnect community-based healthcare systems. Lastly, in July 2005, a Senate committee approved the Wired for Health Care Quality Act.

Tennant referred attendees to a few HIT resources:

"The HIPAA security regulation is beautifully written in that it tells you in broad strokes what to do," Tennant concluded. "But it leaves it up to you how best to handle it. For example, it tells you that you must protect your server. You could have a chain on the door; you could have a guard with an Uzi; you could have German shepherd (dog) out front. They don't care how you do it. The more you can reassure your clients that you are protecting their data, the better off you'll be."

By Shalmali Pal
AuntMinnie.com
July 14, 2006

Related Reading

Health IT bill moves forward in U.S. Congress, May 25, 2006

HIPAA compliance remains inconsistent, April 12, 2006

Dealing with HIPAA changes in 2006, April 6, 2006

U.S. Senate committee moves on health information technology, July 21, 2005

Copyright © 2006 AuntMinnie.com
